TUCoPS :: BSD :: m-072.txt

FreeBSD stdio File Descriptors Vulnerability (CIAC M-072)

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                  FreeBSD stdio File Descriptors Vulnerability
               [FreeBSD Security Advisory FreeBSD-SA-02:23.stdio]

April 24, 2002 15:00 GMT                                          Number M-072
[Revised 1 August 2002]
______________________________________________________________________________
PROBLEM:       A vulnerability was discovered that allows a local user to 
               execute a suid application with stdin, stdout, or stderr 
               closed. 
PLATFORM:      All releases of FreeBSD up to and including 4.6-RELEASE. 
DAMAGE:        Local users can gain root privileges. 
SOLUTION:      Upgrade or patch systems. 
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A local user account is required to exploit 
ASSESSMENT:    this vulnerability. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/M-072.shtml 
 ORIGINAL BULLETIN:  http://www.freebsd.org/security/security.html#adv 
______________________________________________________________________________

[***** Start FreeBSD Security Advisory FreeBSD-SA-02:23.stdio *****]

=============================================================================
FreeBSD-SA-02:23.stdio                                      Security Advisory
                                                          The FreeBSD Project

Topic:          insecure handling of stdio file descriptors

Category:       core
Module:         kernel
Announced:      2002-04-22
Credits:        Joost Pol (joost@pine.nl)
                Georgi Guninski (guninski@guninski.com)
Affects:        All releases of FreeBSD up to and including 4.6-RELEASE
                4.6-STABLE prior to the correction date
Corrected:      2002-04-21 13:06:45 UTC (RELENG_4)
                2002-07-30 15:42:11 UTC (RELENG_4_6) 
                2002-04-21 13:08:57 UTC (RELENG_4_5)
                2002-04-21 13:10:51 UTC (RELENG_4_4)
FreeBSD only:   NO

0.   Revision History

v1.0  2002-04-22  Initial release
v1.1  2002-04-23  Patch and revision numbers updated
v1.2  2002-07-29  procfs issue; updated patch

I.   Background

By convention, POSIX systems associate file descriptors 0, 1, and 2
with standard input, standard output, and standard error,
respectively.  Almost all applications give these stdio file
descriptors special significance, such as writing error messages to
standard error (file descriptor 2).

In new processes, all file descriptors are duplicated from the parent
process.  Unless these descriptors are marked close-on-exec, they
retain their state during an exec.

All POSIX systems assign file descriptors in sequential order,
starting with the lowest unused file descriptor.  For example, if a
newly exec'd process has file descriptors 0 and 1 open, but file
descriptor 2 closed, and then opens a file, the new file descriptor is
guaranteed to be 2 (standard error).

II.  Problem Description

Some programs are set-user-id or set-group-id, and therefore run with
increased privileges.  If such a program is started with some of the
stdio file descriptors closed, the program may open a file and
inadvertently associate it with standard input, standard output, or
standard error.  The program may then read data from or write data to
the file inappropriately.  If the file is one that the user would
normally not have privileges to open, this may result in an
opportunity for privilege escalation.

The original correction for this problem (corresponding to the first
revision of this advisory) contained an error.  Systems using procfs
or linprocfs could still be exploited.  The dates for the original,
incomplete correction were:

Corrected:      2002-04-21 13:06:45 UTC (RELENG_4)
                2002-04-21 13:08:57 UTC (RELENG_4_5)
                2002-04-21 13:10:51 UTC (RELENG_4_4)

III. Impact

Local users may gain superuser privileges.  It is known that the
`keyinit' set-user-id program is exploitable using this method.  There
may be other programs that are exploitable.

IV.  Workaround

[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

None.  The set-user-id bit may be removed from `keyinit' using the
following command, but note that there may be other programs that can
be exploited.

# chmod 0555 /usr/bin/keyinit

[FreeBSD versions 4.5-RELEASE-p4 or later, 4.4-RELEASE-p11 or later,
 4.6-RELEASE, and 4.6-STABLE]

Unmount all instances of the procfs and linprocfs filesystems using
the umount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

V.   Solution

The kernel was modified to check file descriptors 0, 1, and 2 when
starting a set-user-ID or set-group-ID executable.  If any of these
are not in use, they will be redirected to /dev/null.

1) Upgrade your vulnerable system to 4.6-STABLE; or to any of
the RELENG_4_6 (4.6.1-RELEASE-p1), RELENG_4_5 (4.5-RELEASE-p10), or
RELENG_4_4 (4.4-RELEASE-p17) security branches dated after the
respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.


[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.v1.2.asc

[FreeBSD versions 4.5-RELEASE-p4 or later, 4.4-RELEASE-p11 or later,
 4.6-RELEASE, and 4.6-STABLE]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio2.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio2.patch.v1.2.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.


VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
sys/sys/filedesc.h
  RELENG_4                                                       1.19.2.4
  RELENG_4_6                                                     1.19.2.4
  RELENG_4_5                                                 1.19.2.3.6.1
  RELENG_4_4                                                 1.19.2.3.4.1
sys/kern/kern_exec.c
  RELENG_4                                                     1.107.2.15
  RELENG_4_6                                               1.107.2.14.2.1
  RELENG_4_5                                               1.107.2.13.2.2
  RELENG_4_4                                                1.107.2.8.2.3
sys/kern/kern_descrip.c
  RELENG_4                                                      1.81.2.12
  RELENG_4_6                                                    1.81.2.14
  RELENG_4_5                                                 1.81.2.9.2.2
  RELENG_4_4                                                 1.81.2.8.2.2
sys/conf/newvers.sh
  RELENG_4_6                                                1.44.2.23.2.6
  RELENG_4_5                                               1.44.2.20.2.11
  RELENG_4_4                                               1.44.2.17.2.16
-------------------------------------------------------------------------

VII. References

PINE-CERT-20020401 <URL:http://www.pine.nl/advisories/pine-cert-20020401.txt>

[***** End FreeBSD Security Advisory FreeBSD-SA-02:23.stdio *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of FreeBSD for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
M-064: Cisco web interface vulnerabilities in ACS for Windows
M-065: Red Hat Race Conditions in "logwatch"
M-066: Microsoft Cumulative Patch for Internet Information Services (IIS) Vulnerabilities
M-067: SGI Mail, mailx, sort, timed, and gzip Vulnerabilities
M-068: Microsoft IE and Office for Macintosh Vulnerabilities
M-069: Microsoft SQL Server Unchecked Buffer Vulnerabilities
CIACTech02-003: Protecting Office for Mac X Antipiracy Server Ports
M-070: Apache HTTP Server on Win32 Vulnerability
M-071: Oracle9i User Privileges Vulnerability


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH